From 0e69c73e24dc10cb8c085302b35f3ad85375ab1f Mon Sep 17 00:00:00 2001
From: Johannes Faltermeier <jfaltermeier@eclipsesource.com>
Date: Fri, 19 Jul 2024 15:17:42 +0200
Subject: [PATCH] Check Workspace Owner when launching non-ephemeral Sessions

---
 .../operator/handler/session/LazySessionHandler.java     | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java b/java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java
index 312cdcf0..88100f95 100644
--- a/java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java
+++ b/java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/handler/session/LazySessionHandler.java
@@ -348,6 +348,15 @@ protected Optional<String> getStorageName(Session session, String correlationId)
             return Optional.empty();
 
         }
+        if (!session.getSpec().getUser().equals(workspace.get().getSpec().getUser())) {
+            // the workspace is owned by a different user. do not mount and go ephemeral
+            // should get prevented by service, but we need to be sure to not expose data
+            LOGGER.error(formatLogMessage(correlationId,
+                    "Workspace is owned by " + workspace.get().getSpec().getUser() + ", but requesting user is "
+                            + session.getSpec().getUser()));
+            return Optional.empty();
+        }
+
         String storageName = WorkspaceUtil.getStorageName(workspace.get());
         if (!client.persistentVolumeClaimsClient().has(storageName)) {
             LOGGER.info(formatLogMessage(correlationId,